cbcvebase.
CVE-2012-2335
published 2012-05-11

Priority: P2 75 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck KEV: exploited in the wild
EPSS: 32.54% (98.1th percentile)

php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
php | php | |
php | php | |

Detection & IOCs (extracted from sources)

path: php-wrapper.fcgi
command: ?+-s
  • Detect exploit attempts by inspecting HTTP query strings that begin with a '+-' sequence (no '=' character present) targeting PHP-CGI endpoints, as this is the bypass pattern for CVE-2012-2335.
  • Apply mod_rewrite rules to block query strings lacking '=' that contain '-' or '%2d', which covers the CGI argument injection attack surface.
  • Flag or alert on PHP-CGI wrapper scripts that use unquoted '$*' to pass arguments, as this is the root cause of the CVE-2012-2335 bypass (insecure wrapper pattern).
  • Monitor for active exploitation attempts against PHP-CGI; public Metasploit module and honeypot-confirmed in-the-wild exploitation exist for this vulnerability class.
  • CVE-2012-2335 only affects PHP deployments using CGI mode (php-cgi / php-wrapper.fcgi); the default Apache mod_php configuration is NOT affected.
  • The vulnerability is in the insecure wrapper script (php-wrapper.fcgi using '$*'), not in PHP itself; PHP 5.3.13 and 5.4.3 mitigate it by skipping leading spaces in the query string, but fixing the wrapper script is the correct remediation.
  • CVE-2012-2335 is distinct from CVE-2012-2311 (which covers '%3D' bypass of the '=' check) and CVE-2012-2336 (second php_getopt() call not skipped); detection rules should account for all three bypass variants.
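
One way to apply the query-string checks listed above to web server access logs, as an added example that is not part of the original entry. The function names, labels and log lines are constructed for illustration; the log format assumed is a quoted request line as in Apache access logs.

```python
import re

# Request line as it appears in an access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# '-' or its percent-encoded form, in either case
DASH = re.compile(r"-|%2d", re.IGNORECASE)
# Query string that starts with '+' followed by a (possibly encoded) dash
LEADING_PLUS_DASH = re.compile(r"\+(?:-|%2d)", re.IGNORECASE)

def classify_query(raw_query):
    """Classify a raw (undecoded) query string; None means not suspicious.

    The check runs on the raw string on purpose: an encoded '%3D' is not a
    literal '=' and therefore does not exempt the request.
    """
    if not raw_query or "=" in raw_query:
        return None
    if LEADING_PLUS_DASH.match(raw_query):
        return "leading-plus-dash"      # the CVE-2012-2335 pattern
    if DASH.search(raw_query):
        return "dash-without-equals"    # broader argument-injection surface
    return None

def scan(log_lines):
    """Return (line_number, path, label) for every suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        label = classify_query(query)
        if label:
            hits.append((number, path, label))
    return hits

# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2012:10:00:01 +0000] "GET /index.php?page=about-us HTTP/1.1" 200 512',
    '192.0.2.11 - - [11/May/2012:10:00:02 +0000] "GET /cgi-bin/php-wrapper.fcgi?+-s HTTP/1.1" 200 4096',
    '192.0.2.12 - - [11/May/2012:10:00:03 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 4096',
    '192.0.2.13 - - [11/May/2012:10:00:04 +0000] "GET /index.php?hello HTTP/1.1" 200 512',
    '192.0.2.14 - - [11/May/2012:10:00:05 +0000] "GET /index.php?-s%3D1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```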

CVSS provenance

nvd: v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 7.5 HIGH
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 5.0 MEDIUM